Configuring Your Identity Provider (IdP)

IdP Requirements

To use SAML with Shares, you must already have an identity provider (IdP) that meets the following requirements:

IdP Metadata Formats

You must configure the following values in your IdP for it to work with Shares (shares_ip is the address of your Shares server):

    Tag             Format
    NameID Format   urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    Entity ID       https://shares_ip/auth/saml/metadata/
    Binding         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Callback URL    https://shares_ip/auth/saml/callback

If the IdP can import SAML XML metadata for a service provider, you can upload a saved metadata file instead of entering these values by hand. To retrieve the metadata for an existing Shares server, open https://shares_ip/auth/saml/metadata in a browser and save the response as an XML file. Check that the entity ID and callback URL in the file match the hostname users will actually reach Shares on; a mismatch (for example an internal IP instead of the public hostname) makes the IdP reject the authentication request or post the response to the wrong endpoint.
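When the IdP cannot import metadata, the values in the table have to be read out of the XML and typed in by hand. The following script is an added example, not part of Shares or its documentation: it parses standard SAML 2.0 SP metadata, extracts the four settings, and compares them with the values Shares expects. The embedded metadata is a constructed sample shaped like the table above; the real file served by Shares may contain additional elements (signing certificate, organization details), which the parser ignores.

```python
"""Extract SAML service-provider settings from SP metadata and compare
them with the values Shares documents. Added example, not Shares code."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: SP metadata with the placeholder host shares_ip.
# Not the literal output of a Shares server.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://shares_ip/auth/saml/metadata/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shares_ip/auth/saml/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_settings(metadata_xml):
    """Return entity_id, nameid_format, binding and callback_url from SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    nameid = sp.find("md:NameIDFormat", NS)
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    # Use the endpoint marked isDefault; fall back to the first one listed.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    return {
        "entity_id": root.get("entityID"),
        "nameid_format": nameid.text.strip() if nameid is not None and nameid.text else None,
        "binding": acs.get("Binding"),
        "callback_url": acs.get("Location"),
    }


def check_against_shares_table(settings, host="shares_ip"):
    """Return the names of settings that differ from the documented Shares values."""
    expected = {
        "entity_id": "https://%s/auth/saml/metadata/" % host,
        "nameid_format": UNSPECIFIED,
        "binding": HTTP_POST,
        "callback_url": "https://%s/auth/saml/callback" % host,
    }
    return [key for key, value in expected.items() if settings.get(key) != value]


if __name__ == "__main__":
    settings = sp_settings(SAMPLE_SP_METADATA)
    for key, value in settings.items():
        print("%-14s %s" % (key, value))
    # Pass the hostname users will actually reach Shares on; any mismatch is listed.
    print("mismatches:", check_against_shares_table(settings))
```

Run it against the file saved from https://shares_ip/auth/saml/metadata with the public hostname passed as `host`; an empty mismatch list means the values you enter into the IdP agree with what Shares will send in its authentication requests.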

SAML Assertion Requirements

Shares expects the assertion from the IdP to contain the following elements:

    Default attribute            Shares user field   Required
    NameID / SAML_SUBJECT / id   Username            Yes; the NameID must use the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    email                        Email address       Yes
    given_name                   First name          Yes
    surname                      Last name           Optional
    member_of                    SAML group          Required only if you map SAML groups to Shares groups

Tip: All attributes other than NameID, SAML_SUBJECT, or id can also be named using the urn:oasis:names:tc:SAML:2.0:attrname-format:basic format.
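A common cause of failed logins is an IdP that sends the right claims under different names (mail instead of email, or a NameID in emailAddress format). The script below is an added example, not Shares code: given the decoded XML of a SAML Response, it reports which of the requirements in the table are not met. The embedded response is a constructed, unsigned sample. This is a structural check for debugging attribute mappings only; it does not verify the XML signature, Conditions, Audience or InResponseTo, which the service provider must do before trusting anything in the assertion.

```python
"""Check a decoded SAML Response against the attribute requirements Shares
documents. Added example, not Shares code; no signature validation."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Default attribute names from the table and whether Shares requires each one.
# member_of is only needed when SAML groups are mapped, so it is not required here.
REQUIRED = {"email": True, "given_name": True, "surname": False, "member_of": False}

# Constructed sample response (unsigned, illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="given_name">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="member_of">
        <saml:AttributeValue>shares-admins</saml:AttributeValue>
        <saml:AttributeValue>engineering</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract(response_xml):
    """Return (nameid_value, nameid_format, {attribute_name: [values]})."""
    root = ET.fromstring(response_xml)
    # Accept either a bare Assertion or a Response wrapping one.
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found (encrypted assertions are not handled here)")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return (
        nameid.text if nameid is not None else None,
        nameid.get("Format") if nameid is not None else None,
        attrs,
    )


def check_shares_requirements(response_xml):
    """Return a list of problems; an empty list means the table's requirements are met."""
    nameid, fmt, attrs = extract(response_xml)
    problems = []
    # Username may come from NameID or, failing that, a SAML_SUBJECT or id attribute.
    fallback = next((attrs[n][0] for n in ("SAML_SUBJECT", "id") if attrs.get(n)), None)
    if nameid:
        if fmt != UNSPECIFIED:
            problems.append("NameID Format is %r, expected %s" % (fmt, UNSPECIFIED))
    elif not fallback:
        problems.append("no username: NameID, SAML_SUBJECT and id are all missing")
    for name, required in REQUIRED.items():
        if required and not any(attrs.get(name, [])):
            problems.append("missing required attribute %s" % name)
    return problems


if __name__ == "__main__":
    for problem in check_shares_requirements(SAMPLE_RESPONSE) or ["assertion meets Shares requirements"]:
        print(problem)
```

To use it on a real login, capture the SAMLResponse form field posted to /auth/saml/callback (a browser's network inspector or a SAML tracer extension shows it), base64-decode it, and pass the XML to `check_shares_requirements`. The sample response is constructed for this example; attribute names in your IdP may need to be renamed to match the table.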